OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

EPA Needs to Strengthen Its Privacy Program Management Controls

Report No. 2007-P-00035

September 17, 2007

Report Contributors:
    Rudolph M. Brevard
    Charles Dade
    Corey Costango

Abbreviations

CIO     Chief Information Officer
EPA     U.S. Environmental Protection Agency
FOIA    Freedom of Information Act
OEI     Office of Environmental Information
OIG     Office of Inspector General
OMB     Office of Management and Budget
PII     Personally Identifiable Information

U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
2007-P-00035, September 17, 2007

EPA Needs to Strengthen Its Privacy Program Management Controls

Why We Did This Review

We sought to determine what steps the U.S. Environmental Protection Agency (EPA) took to protect Personally Identifiable Information. We also sought to determine the extent to which EPA put in place a management structure over the Agency's Privacy Program.

Background

Congress passed the Privacy Act of 1974 to protect individual privacy. The Act sets forth requirements for Federal agencies when they collect, maintain, or disseminate information about individuals. Personally Identifiable Information is any information about an individual maintained by an agency, including employment, medical, and financial information, that can be used to trace an individual's identity.

What We Found

Although EPA has made progress toward establishing its Privacy Program, the program needs more emphasis. EPA needs to set up a more comprehensive management control structure to govern and oversee the program. In particular, EPA needs to establish goals and activities for the Privacy Program and measure progress. Further, EPA needs to update its Privacy Program policies and establish processes to manage and make these policies available to responsible EPA personnel. Also, EPA needs to set up compliance and accountability processes to ensure adherence to key Privacy Program tenets.

These weaknesses existed because of the low priority EPA managers placed on the Privacy Program. A major loss of privacy information could result in substantial harm, embarrassment, and inconvenience to individuals. It could lead to identity theft or other fraudulent use of the information, which in addition to harming the individuals involved could be costly to the Agency and its reputation. Questions on EPA's management of privacy data could also cast doubts over the processes EPA uses to oversee protection of the confidential business information it collects.

What We Recommend

We recommend that the EPA Office of Environmental Information's Director, Office of Information Collection, establish goals and activities for the Agency's Privacy Program. The Director should also establish and use performance measures for the program. Further, the Director should update the Agency's Privacy Program policies and procedures, establish a process for managing compliance, and monitor compliance. We also recommend that this Director work with the Office of Administration and Resources Management to develop sample cascading goals and objectives that EPA managers can use to establish Privacy Program accountability processes. The Agency agreed with the report's findings and recommendations.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2007/20070917-2007-P-00035.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

September 17, 2007

MEMORANDUM

SUBJECT:  EPA Needs to Strengthen Its Privacy Program Management Controls
          Report No. 2007-P-00035

FROM:     Patricia H. Hill
          Assistant Inspector General for Mission Systems

TO:       Mark Luttner
          Director, Office of Information Collection
          Office of Environmental Information

          Kenneth Venuto
          Director, Office of Human Resources
          Office of Administration and Resources Management

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends.
This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated cost of this report, calculated by multiplying the project's staff days by the applicable daily full cost billing rates in effect at the time, is $135,942.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective actions plan for agreed upon actions, including milestone dates. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Rudolph M. Brevard, Director for Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov.

Table of Contents

Purpose ........................................................... 1
Background ........................................................ 1
Noteworthy Achievements ........................................... 1
Scope and Methodology ............................................. 2
Results of Review ................................................. 2
    EPA Needs to Identify Program Goals and Activities and
    Measure Progress .............................................. 3
    EPA Needs to Update Policy and Establish
    Change Management and Distribution Processes .................. 3
    EPA Needs to Establish Compliance and Accountability Processes  4
    Weaknesses Represent Internal Control Issues .................. 5
Recommendations ................................................... 5
Agency Response and OIG Comments .................................. 6
Status of Recommendations and Potential Monetary Benefits ......... 7

Appendices
    A   OEI's Office of Information Collection Responses to Draft Report ....... 9
    B   Office of Administration and Resources Management's
        Office of Human Resources Response to Draft Report .................... 13
    C   Distribution ...................................................... 15

Purpose

We sought to determine what steps the U.S. Environmental Protection Agency (EPA) took to protect Personally Identifiable Information (PII).
We also sought to determine the extent to which EPA put in place a management structure over the Agency's Privacy Program.

Background

Congress passed the Privacy Act of 1974 to protect individual privacy. The Act sets forth the requirements Federal agencies must follow when they collect, maintain, or use information about individuals. The Act requires Federal agencies to respect the privacy of individuals. In this regard, agencies must collect the least amount of information necessary and put in place safeguards to protect the information. Agencies must also allow individuals to inspect their files and correct any erroneous information.

The Office of Management and Budget (OMB) defines PII as any information about an individual maintained by an agency that can be used to distinguish or trace an individual's identity. This includes, but is not limited to, employment, medical, and financial information; social security numbers; date and place of birth; mother's maiden name; and any other personal information that is linked or linkable to an individual.

EPA privacy officials stated that EPA's Office of General Counsel and Office of Administration and Resources Management were responsible for the Privacy Act function prior to the Office of Environmental Information (OEI) taking over in 1999. The current EPA privacy policies were established in 1986 and 1987. Further, EPA privacy officials stated that OEI initiated the groundwork for putting in place a Privacy Program by appointing a Privacy Act Officer in 1999. EPA also designated a Senior Agency Official for Privacy, who has overall responsibility and accountability for ensuring the Agency's implementation of information privacy protections, including the Agency's full compliance with Federal laws, regulations, and policies relating to information privacy. OEI tasked its Records, Freedom of Information Act (FOIA), and Privacy Branch with managing the program. The branch is part of OEI's Office of Information Collection. The branch develops EPA's Privacy Program policies and procedures and oversees implementation of the program.

Noteworthy Achievements

Privacy officials indicated that in April 2003 OEI launched EPA's first Privacy Act Website and began to raise privacy awareness through training sessions, briefings, and conferences. In June 2006, EPA established a PII workgroup in response to OMB memorandums regarding PII protection. EPA privacy officials also said they established the workgroup to ensure that EPA did everything reasonably possible to protect itself from the accidental or unauthorized release of PII. In addition, the Chief Information Officer (CIO) issued "CIO Policy Transmittal 06-011: Interim Policy and Procedures for Protecting Personally Identifiable Information (PII)," to address PII protection concerns raised by OMB.

Scope and Methodology

We conducted this audit from January through April 2007 at EPA headquarters in Washington, DC, in accordance with generally accepted government auditing standards. To determine steps EPA took to protect PII, we conducted a survey with EPA program and regional offices related to their efforts to put into place processes for protecting PII. Preliminary survey results indicated this area requires further review. After preliminary research, we decided to suspend further work on this objective and to examine this area further during the Fiscal Year 2007 Federal Information Security Management Act audit.

To review the Privacy Program management structure, we interviewed EPA officials responsible for the Agency's Privacy Program.
We questioned EPA Privacy Program personnel regarding the following management control areas:

   • Policies and procedures
   • Roles and responsibilities
   • Performance measurement
   • Program compliance
   • Accountability

We conducted follow-up interviews and reviewed relevant documents. Based on information collected during preliminary research, we identified several fundamental weaknesses that require management's immediate attention. Therefore, we decided not to proceed into field work for this objective area and are summarizing our results in this report.

We had not performed prior audits related to the management controls of EPA's Privacy Program. As such, there were no recommendations to follow up on during this audit.

Results of Review

EPA privacy officials stated that EPA is in the process of updating its Privacy Program. However, the Agency needs to put into place a more comprehensive management control structure to govern and support its Privacy Program. In particular, EPA needs to:

   • Identify the Privacy Program's key goals and activities, and establish performance measures to assess their progress.
   • Update its Privacy Program policies and procedures, and establish processes to manage and make all privacy policies available to EPA personnel.
   • Put into place a process to monitor the Privacy Program.

According to Agency officials, these program weaknesses existed because EPA placed a lower priority on the Privacy Program compared to other Office of Information Collection requirements. Activities to strengthen the Privacy Program's internal control structure remain unfinished because of the lack of committed resources or management support. Thus, EPA lacks key processes to proactively manage threats that put the Agency's privacy data at risk. A major loss of privacy information could result in substantial harm, embarrassment, and inconvenience to individuals. It could lead to identity theft or other fraudulent use of the information, which in addition to harming the individuals involved could be costly to the Agency and its reputation. Questions on EPA's management of privacy data could also cast doubts on the processes EPA uses to oversee protection of the confidential business information it collects.

EPA Needs to Identify Program Goals and Activities and Measure Progress

EPA needs to identify the Privacy Program's key goals and activities, and establish performance measures to assess their progress.

During discussions with EPA privacy officials, the officials identified some informal key goals and activities for establishing and overseeing the EPA Privacy Program. However, these key goals and activities were not identified in any formal policy or strategy document. Without formal key goals and activities to guide the Privacy Program, EPA has no assurance the program will be employed as intended.

In follow-up correspondence, privacy officials provided a copy of a draft privacy policy, the PII workgroup action plan, and a portion of a Privacy Act program fact sheet. They indicated these documents contained information on key goals of the Privacy Program. While these documents did identify some informal goals and activities, none of the items are recognized in OEI's mission and function manual for the Records, FOIA, and Privacy Branch.

In addition, EPA had not established performance measures for the informal key goals and activities in order to monitor the Privacy Program's progress.
Without such performance measures, EPA cannot assess the progress of the Privacy Program.

EPA Needs to Update Policy and Establish Change Management and Distribution Processes

EPA needs to update its Privacy Program policies and establish change management and distribution processes for these policies. The current Privacy Program policy is outdated and lacks the specificity needed for duties and responsibilities to be performed uniformly throughout the Agency. EPA privacy officials are currently drafting a new comprehensive privacy policy and associated procedures, and these documents should contain some key components. For example, the new policy and procedures need to provide a consistent means of conducting the work throughout the Agency. Also, the privacy policy and procedures should not only describe who is responsible for what at a high level, but should:

   • Clearly describe lower-level assigned responsibilities (i.e., who is responsible, what specifically they are responsible for doing, and how they are expected to do it).
   • Establish minimum requirements with which all program/regional offices must comply.

In addition, privacy officials did not have a formal process to manage changes in privacy policies and procedures. It is essential that OEI's Records, FOIA, and Privacy Branch have formal processes in place for managing and ensuring that appropriate changes to its privacy policies and procedures are made in a timely manner (e.g., updates from OMB, changes in regulations, and changes in roles and responsibilities).

Further, EPA needs to make privacy policies and procedures available to responsible personnel. Agency privacy officials identified two projects that they envisioned would fulfill this role. They plan to establish an intranet site that would provide personnel with access to privacy policies and procedures. Officials also plan to establish a privacy liaison contact within each EPA program and regional office to ensure key documents are distributed. During our review, EPA had not accomplished either of these actions. In a follow-up response, Agency privacy officials said EPA had delayed development of the intranet site due to issues with funding, personnel, and emerging office priorities. They plan to implement the site in the first quarter of Fiscal Year 2008.

EPA Needs to Establish Compliance and Accountability Processes

EPA needs to establish a monitoring process to ensure that managers and employees are implementing and complying with key tenets of the Privacy Program. Further, the Agency needs to institute a formal process for holding employees and managers accountable for adhering to EPA's policies.
EPA's privacy officials indicated they plan to monitor compliance by:

   • Establishing responsibilities for Liaison Privacy Officials to perform oversight at the regional and program levels.
   • Reviewing Agency forms (both old and new) to ensure the Agency is not collecting unnecessary PII.
   • Performing reviews via onsite program visits.

However, EPA has not initiated these activities or formally established a target date for their implementation.

EPA also needs to establish processes to hold employees and managers accountable for adhering to Agency privacy policies. EPA privacy officials said they plan to establish accountability through training, applying incident handling reporting policies, and including a notice to employees of potential sanctions for noncompliance with privacy policy. However, these methods do not establish a process for holding employees and managers accountable for adhering to Agency policies. Normally, training is a means to disseminate information rather than to hold people accountable. Also, the incident handling policy does not outline a means to hold Agency employees accountable. Further, the notice to employees described only addressed instances when Privacy Act information was actually disclosed to unauthorized personnel. It did not focus on cases where managers and employees are not following Agency policies and procedures intended to limit the risk of disclosure, regardless of whether disclosure actually occurred. Also, these planned methods do not identify processes for linking privacy responsibilities to the performance plans developed under the Agency's Performance Appraisal and Recognition System.

Weaknesses Represent Internal Control Issues

The noted weaknesses are internal control issues within the Privacy Program. According to OMB Circular A-123, "Management's Responsibility for Internal Control," management is responsible for developing and maintaining internal control systems that comply with the following standards:

   • Control Activities: policies, procedures, and mechanisms in place to help ensure that agency objectives are met.
   • Information and Communication: information should be communicated to relevant personnel at all levels within an organization. The information should be relevant, reliable, and timely.
   • Monitoring: periodic assessments should be part of management's continuous monitoring of internal control.

In addition, the "Standards for Internal Control in the Federal Government," issued by the Government Accountability Office in 1999, indicate that control activities include techniques and mechanisms for enforcing management's directives. Internal controls include establishing techniques and mechanisms for holding personnel "accountable" for doing their assigned responsibilities and complying with management directives. In OMB Circular A-130 and OMB Memorandum M-07-16, OMB makes it clear that the agency is required to inform and train managers, supervisors, and employees of their respective responsibilities and the consequences and accountability for violation of these responsibilities.
OMB requires agencies to develop and implement appropriate policies outlining the rules of behavior and identifying consequences and corrective actions available for failure to follow rules.

Recommendations

We recommend that the EPA Office of Environmental Information's Director, Office of Information Collection:

   1. Establish and formally document key goals and activities for OEI's Records, FOIA, and Privacy Branch associated with EPA's Privacy Program.

   2. Establish and track performance measures associated with OEI's Records, FOIA, and Privacy Branch key privacy goals and activities and measure Privacy Program progress.

   3. Develop a performance measurement report and share results with the Senior Agency Official for Privacy on at least a quarterly basis. Make performance measurement reports available to EPA offices responsible for implementing the Privacy Program.

   4. Update, implement, and communicate EPA's privacy policies and procedures and ensure they adequately address key tenets of the Privacy Program, including clearly communicating:
        a. the minimum requirements with which all program/regional offices must comply.
        b. the roles and responsibilities of all applicable personnel.
        c. how the assigned personnel are to specifically perform the work in sufficient detail to ensure the work will be conducted consistently throughout the Agency.
        d. the consequences to personnel for not complying with policies and procedures.

   5. Identify positions/job types with key Privacy Program responsibilities and develop appropriate sample cascading goals and objectives that EPA managers can use to establish Privacy Program accountability processes within their respective offices. Provide the developed guidance to the Office of Human Resources prior to distributing to Agency personnel for incorporation into the Agency's Performance Appraisal and Recognition System.

   6. Develop, maintain, and publish a roster of Agency personnel designated to fill key Privacy Program positions/job types. Make the roster available to EPA personnel.

   7. Develop and implement processes for managing EPA privacy policies and procedures to ensure they are updated with appropriate changes.

   8. Establish a means of making Agency privacy policies and procedures accessible to EPA personnel.

   9. Establish a monitoring and oversight process to help ensure that managers and employees are implementing and complying with the established Agency privacy policies and procedures.

We also recommend that the EPA Office of Administration and Resources Management's Director, Office of Human Resources:

   10. Incorporate the guidance developed in response to Recommendation 5 within the Agency's Performance Appraisal and Recognition System and publish the guidance on the Office of Human Resources' Performance Appraisal and Recognition System Website.

Agency Response and OIG Comments

The Director for the Office of Information Collection concurred with our report findings and recommendations. The Director indicated plans are in place to address a number of the recommendations.
The Director for the Office of Human Resources indicated the office plans to work with the Office of Information Collection to develop and make available sample cascading goals and objectives that EPA managers can use to establish Privacy Program accountability processes within their respective offices.

Appendix A contains the Director of the Office of Information Collection's August 28, 2007, response to our formal draft report, as well as the July 19, 2007, response to our discussion draft report. Appendix B contains the Director of the Office of Human Resources' response to our formal draft report.

Status of Recommendations and Potential Monetary Benefits

The table lists each recommendation with its page number, subject, status (1), and action official. The Planned Completion Date, Claimed Amount, and Agreed To Amount columns (potential monetary benefits, in $000s) are blank for every recommendation.

Rec. 1 (page 5). Establish and formally document key goals and activities for OEI's Records, FOIA, and Privacy Branch associated with EPA's Privacy Program. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 2 (page 5). Establish and track performance measures associated with OEI's Records, FOIA, and Privacy Branch key privacy goals and activities and measure Privacy Program progress. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 3 (page 5). Develop a performance measurement report and share results with the Senior Agency Official for Privacy on at least a quarterly basis. Make performance measurement reports available to EPA offices responsible for implementing the Privacy Program. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 4 (page 5). Update, implement, and communicate EPA's privacy policies and procedures and ensure they adequately address key tenets of the Privacy Program, including clearly communicating: (a) the minimum requirements with which all program/regional offices must comply; (b) the roles and responsibilities of all applicable personnel; (c) how the assigned personnel are to specifically perform the work in sufficient detail to ensure the work will be conducted consistently throughout the Agency; (d) the consequences to personnel for not complying with policies and procedures. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 5 (page 6). Identify positions/job types with key Privacy Program responsibilities and develop appropriate sample cascading goals and objectives that EPA managers can use to establish Privacy Program accountability processes within their respective offices. Provide the developed guidance to the Office of Human Resources prior to distributing to Agency personnel for incorporation into the Agency's Performance Appraisal and Recognition System. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 6 (page 6). Develop, maintain, and publish a roster of Agency personnel designated to fill key Privacy Program positions/job types. Make the roster available to EPA personnel. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 7 (page 6). Develop and implement processes for managing EPA privacy policies and procedures to ensure they are updated with appropriate changes. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 8 (page 6). Establish a means of making Agency privacy policies and procedures accessible to EPA personnel. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 9 (page 6). Establish a monitoring and oversight process to help ensure that managers and employees are implementing and complying with the established Agency privacy policies and procedures. Status: O. Action Official: Director, Office of Information Collection, Office of Environmental Information.

Rec. 10 (page 6). Incorporate the guidance developed in response to Recommendation 5 within the Agency's Performance Appraisal and Recognition System and publish the guidance on the Office of Human Resources' Performance Appraisal and Recognition System Website. Status: O. Action Official: Director, Office of Human Resources, Office of Administration and Resources Management.

(1) O = recommendation is open with agreed-to corrective actions pending; C = recommendation is closed with all agreed-to actions completed; U = recommendation is undecided with resolution efforts in progress.

Appendix A

OEI's Office of Information Collection Responses to Draft Report

August 28, 2007

MEMORANDUM

SUBJECT:  Response to Draft Audit Report: EPA Needs to Strengthen Its Privacy Program Management Controls
          Assignment No. 2207-000175

FROM:     Mark A. Luttner, Director
          Office of Information Collection

TO:       Rudolph M.
Brevard, Director\n               Information Resources Management Assessments\n\n      As before, I want to thank you for the opportunity to provide comments on the draft audit\nreporting the findings of your review of EPA\xe2\x80\x99s privacy activities (Assignment # 2007-000175).\nIn addition to the comments I submitted to you on July 19th, 2007, which still stand, I would also\nlike to add the following:\n\n   1.\t Along with formally establishing the Agency\xe2\x80\x99s National Privacy Program, and\n       communicating roles and responsibilities for all Agency employees, EPA\xe2\x80\x99s new Privacy\n       Policy will establish accountabilities and consequences for noncompliance and will\n       integrate privacy and security oversight responsibilities. This new policy will also\n       establish a breach notification response plan to mitigate the risk of harm to individuals if\n       a breach should occur. As stated in my earlier response, this policy is expected to be\n       implemented in the 1st quarter of FY 2008.\n\n   2.\t In conjunction with the comments we have already submitted regarding your\n       recommendation to Update Privacy Policy and Establish Change Management and\n       Distribution Processes, I would like to underscore that the Privacy Act Intranet Website\n       will also be used as a primary communication tool for the Liaison Privacy Officials\n       (LPO\xe2\x80\x99s) network and all Agency employees. 
The information maintained on this site will\n       be used to keep individuals up-to-date on changes in management, policy and procedures.\n       Among other things, this site will include: the Privacy Program\xe2\x80\x99s mission and function\n       statements, milestones with projected completion dates, rules of behavior, the procedures\n       manual for implementation of the Privacy policy, a listing of Privacy Act systems of record\n       due for re-evaluation, a listing of onsite system reviews and dates of their next planned\n       review, PII breaches, and copies of the quarterly privacy reporting under FISMA.\n\n        Again, I appreciate the opportunity to provide comments on your draft findings. Please\nfeel free to contact me on 202-566-1628.\n\n\n\n                                                  9\n\n\x0c                                          July 19, 2007\n\nMEMORANDUM\n\nSUBJECT:\t Response to Draft Discussion Audit Report: EPA Needs to Strengthen Its Privacy\n          Program Management Controls (Assignment No. 2207-000175)\n\nFROM: \t        Mark A. Luttner\n               Director, Office of Information Collection\n\nTO: \t          Rudolph M. Brevard\n               Director, Information Resources Management Assessments\n               Office of the Inspector General\n\n\n     Thank you for the opportunity to provide comments on the draft discussion report on the\nfindings of your review of EPA\xe2\x80\x99s privacy activities. As mentioned in the draft report, EPA is in\nthe process of establishing a more comprehensive privacy program. While there remain areas for\nimprovement, significant strides have been made to protect the personally identifiable\ninformation (PII) in the Agency\xe2\x80\x99s possession. 
The Agency is aware of its vulnerabilities and is\nworking to mitigate existing privacy weaknesses with available resources.\n\n    EPA is not unlike many other federal agencies rallying to put measures in place to decrease\nand protect its PII collections in the wake of the Veterans Administration\xe2\x80\x99s massive loss of such\nPII last year. Recognizing its own vulnerabilities, the Agency established a PII Workgroup in\nJune 2006 under the Quality and Information Council (QIC) to identify and implement short- and\nlong-term actions to protect Agency PII from disclosure, including determining the necessity of\nexisting and new PII collection activities. The workgroup developed an action plan with\nmilestones and has completed several critical activities which reduce the Agency\xe2\x80\x99s risk to\nunauthorized access and disclosure of privacy information.\n\n     When the responsibility for addressing EPA\xe2\x80\x99s privacy activities was transferred to OEI from\nthe Office of General Counsel in 1999, the function primarily consisted of managing the\nAgency\xe2\x80\x99s system of records activities and complying with the 1998 Presidential Order directing\nagencies to determine if they were in compliance with specific Privacy Act requirements. The\nPrivacy Act Officer, appointed in 2000, managed these largely administrative processes.\nHowever, the passage of the E-Government Act of 2002, new FISMA reporting requirements,\nOMB E-Government scorecards, and growing concerns with identify theft and other privacy-\nrelated concerns have expanded the role and responsibilities of the Privacy Act Officer and the\nneed to develop strong internal control structures for protecting privacy information.\n\n      EPA\xe2\x80\x99s new internal control structures, to a large degree, are set forth in its new Privacy\nPolicy, which we expect to submit to the QIC this quarter. 
The Policy will bring the necessary\ndirection, guidance and requirements for safeguarding the collection, use, dissemination and\nstorage of PII. The overarching Policy formally establishes the Agency\xe2\x80\x99s National Privacy\n\n\n\n                                                10\n\n\x0cProgram, communicates roles and responsibilities for all Agency employees, establishes\naccountabilities and penalties, and integrates privacy and security oversight responsibilities. We\nexpect that the policy will begin to be implemented in the 1st Quarter of FY 2008.\n\n     I am pleased to report that the Agency made significant progress in the past twelve months\naddressing many of the weaknesses identified by the OIG in its draft audit report. Many of the\nactions to address your recommendations are already underway or nearly completed.\nSpecifically, the OIG recommended that the Agency:\n\n   \xe2\x80\xa2\t Create Program Goals and Activities and Measure Progress.\n      The PII Workgroup\xe2\x80\x99s Action Plan itemizes the program\xe2\x80\x99s key goals and activities. We\n      agree that performance measures for the major activities are needed to assess the\n      progress of the larger program when it is established.\n\n   \xe2\x80\xa2\t Update Privacy Policy and Establish Change Management and Distribution \n\n      Processes. \n\n      The Agency is currently updating its privacy policy and procedures. The policy describes\n      responsibilities at a high level and the accompanying procedures describe these\n      responsibilities in more detail and how to perform them. The procedures are being\n      coordinated with the OEI Security Staff. 
The policy and procedures will be made\n      available to employees on the Agency\xe2\x80\x99s Privacy Act Intranet Web site when it is deployed\n      in the 1st Quarter of FY 2008.\n\n   \xe2\x80\xa2\t Establish Compliance and Accountability Process.\n      The Privacy Policy defines the roles and responsibilities of Agency offices, senior\n      officials, managers and employees. It establishes the requirement for offices to designate\n      Liaison Privacy Officials (currently being identified by the programs and regions) to\n      support EPA\xe2\x80\x99s management and oversight of its privacy responsibilities. LPOs will\n      provide guidance to their offices and day-to-day oversight with respect to Agency privacy\n      requirements and initiatives. The LPOs will serve as the Privacy Act Officer\xe2\x80\x99s support\n      for ensuring that privacy policies, guidance and related information are broadly\n      communicated and will be the points of contact for responding to privacy data calls. The\n      Privacy Act Officer will meet with these individuals on a regular basis. The Privacy Act\n      Officer and OEI Security Staff will work collaboratively to ensure compliance through\n      FISMA reviews and onsite visits. The Privacy Policy will include sanctions for non-\n      compliance.\n\n       The PII Workgroup has nearly completed its review of forms to identify unnecessary PII\n       elements and has met with OARM representatives to better understand the forms\n       management process in order to provide guidance to programs that need to revise forms.\n\n       The PII Action Plan identifies program monitoring as an \xe2\x80\x9congoing activity\xe2\x80\x9d. Onsite\n       reviews will begin in the 1st Quarter of FY 2008.\n\n\n\n\n                                                11\n\n\x0c        Again, I appreciate the opportunity to provide comments on your draft findings. 
Please\nfeel free to contact me or Deborah Williams (566-1659) if you have any questions about this\nmemorandum.\n\ncc:    \tAndrew Battin\n       Sara Hisel-McCoy\n       Deborah Williams\n       Judy Hutt\n       Myra Galbreath\n       Marian Cody\n\n\n\n\n                                               12\n\n\x0c                                                                                 Appendix B\n\nOffice of Administration and Resources Management\xe2\x80\x99s \n\nOffice of Human Resources Response to Draft Report \n\n                                       August 29, 2007\n\nMEMORANDUM\n\n\nSUBJECT:      Comments on EPA\xe2\x80\x99s Privacy Program Audit Draft Report\n\n                     /s/\nFROM:         Kenneth T. Venuto, Director\n              Office of Human Resources\n\nTO:           Rudolph M. Brevard, Director\n              Information Resources Management Assessments\n              Office of the Inspector General\n\n       Thank you for the opportunity to comment on EPA\'s Privacy Program Audit\nDraft Report. The Office of Human Resources recommends the following substitute\nlanguage for recommendations #5 and #10 and the "At a Glance" cover page:\n\nRecommendation for #5. "Identify positions/job types with key Privacy Program\nresponsibilities and develop appropriate samples of cascading goals and objectives that\nEPA managers can use to establish Private Act accountability processes within their\nrespective offices. These samples should be submitted to the Office of Human Resources\nfor review and approval prior to distributing to appropriate senior executives and\nmanagers for consideration."\n\n"We recommend that the EPA Office of Administration and Resources Management\'s\nDirector, Office of Human Resources (OARM/OHR):\n\nRecommendation for #10. "Work with OEI to finalize appropriate sample guidance for\nmanagers to use when implementing performance standards for position/job types with\nkey Privacy Program responsibilities. 
The approved guidance should be posted on OEI\'s\nwebsite. For re-enforcement, the link to OEI\'s website should also be posted on the OHR\nPerformance Appraisal and Recognition System (PARS) intranet website."\n\nRecommendation for "At a Glance" cover page.\n\nIn order to make the "At a Glance" cover page consistent with the above\nrecommendations for #5 and #10 of the Draft Report, I recommend the following new\nlanguage for the last sentence of the "What We Recommend" section:\n\n\n\n                                              13\n\n\x0c                                                2\n\n\n\n\xe2\x80\x9cWe also recommend that the Office of Environmental Information\xe2\x80\x99s Director, Office of\nInformation Collection work with the Office of Administration and Resources management\xe2\x80\x99s\nDirector, Human Resources, to develop appropriate samples of cascading goals and objectives\nthat EPA managers can use for employees with key Privacy Program responsibilities within their\nrespective office and to establish appropriate methods to communicate these samples.\xe2\x80\x9d\n\n          Again, thank you for the opportunity to comment on EPA\xe2\x80\x99s Privacy program Audit Draft\nReport.\n\n\n\n\n                                               14\n\n\x0c                                                                             Appendix C\n\n                                   Distribution\n\nOffice of the Administrator\nAssistant Administrator for Environmental Information\nAssistant Administrator for Administration and Resources Management\nDirector, Office of Information Collection, Office of Environmental Information\nDirector, Office of Human Resources, Office of Administration and Resources Management\nAgency Followup Official (the CFO)\nAgency Followup Coordinator\nAudit Followup Coordinator, Office of Environmental Information\nAudit Followup Coordinator, Office of Administration and Resources Management\nAssociate Administrator for Congressional 
and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nOffice of General Counsel\nActing Inspector General\n\n\n\n\n                                            15\n\n\x0c'